To be applicable from 13 May 2027
Introduction
The Information Technology Act, 2000 marked the beginning of legal recognition and regulation of the Internet and related media in India. Since then, significant developments have occurred in the legal landscape of this domain. The most recent addition is the introduction of the Digital Personal Data Protection Act, 2023. The primary objective of this legislation is to regulate the acquisition, processing, and retention of individual data by organizations and institutions to safeguard individual rights and promote responsible business practices. To achieve its stated purpose, the Act, in conjunction with the Data Protection Rules, 2025, establishes a comprehensive data regulation framework and compliance mechanisms for organizations.
An 18-month period has been given as per Rule 1(4) of DPDP Rules, 2025 to ensure proper compliance with the requirements under DPDP Act as well as Rules. Organizations and Individuals are encouraged to work on preparing their compliance checklist to avoid last minute hurdles and penalties.
Understanding Key Concepts
Before we dive into the compliance requirements, it’s crucial to comprehend the definitions of key terms commonly used within this Act.
- Data: Data referred under this Act particularly refers to Personal Data of an individual. It is defined under the Act as “a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means”. It basically means identifiable information of an individual such as ID’s, Numbers, addresses, IPs etc. directly or indirectly referring to them. In this Act, we are particularly concerned with Digital Personal Data of an individual.
- Data Principal: In simple terms, it refers to the individual whose data is being collected. As per the Act, it means “the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.”
- Data Fiduciary: As per the Act, it means “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.” It can be a company, NGO, LLP, startup and even a government body, depending on its activities.
- Data Processor: It is concerned with the outsourcing of data processing by a Data Fiduciary to a person or entity under a valid contract. Under this Act, the term is defined as “any person who processes personal data on behalf of a Data Fiduciary.”
Applicability of the Act
Section 3 of this Act states that this Act will:
- “apply to the processing of digital personal data within the territory of India where the personal data is collected–– (i) in digital form; or (ii) in non-digital form and digitised subsequently;
- also apply to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India.”
As a consequence, all organizations and institutions based in India as well as outside India, which are identified as a Data Fiduciary or Data Processor and fulfil the above conditions, come under the purview of this Act.
Further, as stated by Section 4, this Act does not apply to
(a.) personal data processed for domestic purposes, or
(b.) personal data made publicly available by the Data Principal themselves.
Compliance Requirements
Following is a list of requirements that concerned parties are required to follow in order to ensure proper compliance with the DPDP Act, 2023:
Check if you’re covered under this Act:
First, it’s crucial to determine the role of the person or organization under the DPDP Act. This includes whether it’s a Data Fiduciary or a Data Processor, subject to meeting the conditions mentioned above. This is essential for understanding the extent of compliance required and the liability under the Act.
Ensure lawful processing of individual data:
This Act aims to protect individual personal data and rights. Consequently, several checks have been implemented to regulate the collection of data from the Data Principal.
First of all, this Act mandates the consent of the Data Principal for the processing of their data.
Section 4 prescribes that, “A person may process the personal data of a Data Principal only in accordance with the provisions of this Act and for a lawful purpose:
(a) for which the Data Principal has given her consent; or
(b) for certain legitimate uses.”
Furthermore, it mandates a notice for consent that includes the following details:
(a.) Description of the data to be collected
(b.) Description of the goods or services provided
(c.) Purpose of processing the data
(d.) Consequences of refusing consent.
This notice must be provided before or at the time of data collection. Additionally, the notice must contain links to options such as consent withdrawal, submission of rights requests, and complaints to the Data Protection Board of India.
Some mechanisms that organizations may employ for compliance include:
(a.) Using a consent management system to collect consent and preserve evidence.
(b.) Aligning the website’s user interface and user experience to ensure that the notice is clearly readable and options are easily accessible.
Section 7 states that the data can only be used for the legitimate purposes to which the Data Principal has consented. Therefore, the same data cannot be used for a different purpose without the explicit consent of the Data Principal. One exception for organizations is provided in the case of employment by virtue of Section 7(i), which states, “for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.”
Compliance with Rights of Data Principal:
Different rights of Data Principals while sharing their personal data are specified under Sections 11 to 14 of the Act. These provisions ensure that individuals can exercise control over their information and seek recourse in case of misuse. The key rights include:
(a) Right to Access – Data Principals have the right to access a summary of their personal data being processed and to know the details of the data fiduciaries involved.
(b) Right to Update, Correct, or Erase – They have the right to request updating, correction, or complete erasure of any personal data.
(c) Right to Redressal of Grievances – Individuals can seek resolution for any issue through proper grievance redressal mechanisms.
(d) Right to Nominate – A Data Principal has the right to nominate another individual to exercise their rights in relation to personal data.
To prevent violation of these rights and avoid legal action, organizations should take the following measures:
(a) Clearly mention these rights on their websites for informational purposes.
(b) Establish dedicated grievance redressal mechanisms with support teams and maintain proper record management for evidence purposes.
(c) Implement a proper system to store an individual’s personal data, with options for updating, correction, and deletion as requested by the Data Principal.
Obligations of Fiduciaries and Processors:
Under this Act, Data Fiduciaries and Processors bear full responsibility for data processing. They are required to maintain valid contracts, address both operational and policy obligations, ensure proper usage of data, and preserve records of consent and grievances. In the event of a potential breach, they must promptly notify both the Data Principal and the Data Protection Board of India.
To meet these compliance requirements, organizations should:
(a) Conduct annual audits of contracts with data processors.
(b) Retain logs of data usage, consent, and grievances for at least one year.
(c) Manage the data lifecycle to track personal data movement and usage at every stage.
(d) Implement reasonable safeguards, such as encryption.
(e) Report any potential breaches without delay.
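The consent-management, purpose-limitation, rights-handling and log-retention points above (the mechanisms under “Ensure lawful processing”, Section 7, the rights of the Data Principal, and obligation (b) on retaining logs) are easier to reason about with a concrete register in hand. The following is an added example written for this article, not the Act’s text or any vendor’s product: a small in-memory consent register that stores a hash of the notice shown as evidence, refuses processing for purposes the principal never consented to or after withdrawal, supports erasure on request, and keeps a hash-chained audit log whose entries can be checked against the one-year retention floor. All names, the 365-day constant and the sample notice text are constructed assumptions.

```python
"""Constructed consent-and-rights register (illustrative; not the Act's or any project's code)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the article's "at least one year" retention floor for consent/usage/grievance logs.
RETENTION = timedelta(days=365)


@dataclass
class ConsentRecord:
    principal_id: str            # pseudonymous identifier, not the principal's raw personal data
    purposes: frozenset[str]     # purposes named in the notice the principal agreed to
    notice_hash: str             # SHA-256 of the exact notice text shown, kept as evidence
    given_at: datetime
    withdrawn_at: datetime | None = None


class ConsentRegistry:
    """Tracks consent, enforces purpose limitation, honours erasure, keeps tamper-evident audit entries."""

    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}
        self._audit: list[dict] = []        # append-only evidence log, each entry hash-chained to the last
        self._last_hash = "0" * 64

    def _log(self, event: str, now: datetime, **fields) -> None:
        entry = {"event": event, "at": now.isoformat(), "prev": self._last_hash, **fields}
        digest = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        entry["hash"] = digest
        self._audit.append(entry)
        self._last_hash = digest

    def record_consent(self, principal_id: str, purposes: set[str], notice_text: str, now: datetime) -> ConsentRecord:
        notice_hash = hashlib.sha256(notice_text.encode()).hexdigest()
        rec = ConsentRecord(principal_id, frozenset(purposes), notice_hash, now)
        self._records[principal_id] = rec
        self._log("consent_given", now, principal=principal_id, purposes=sorted(purposes), notice=notice_hash)
        return rec

    def withdraw(self, principal_id: str, now: datetime) -> bool:
        """Consent withdrawal (the notice must link to this option); returns False if nothing to withdraw."""
        rec = self._records.get(principal_id)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        self._log("consent_withdrawn", now, principal=principal_id)
        return True

    def may_process(self, principal_id: str, purpose: str) -> bool:
        """Purpose limitation (Section 7): only consented purposes, and only while consent stands."""
        rec = self._records.get(principal_id)
        if rec is None or rec.withdrawn_at is not None:
            return False
        return purpose in rec.purposes

    def erase(self, principal_id: str, now: datetime) -> bool:
        """Right to erasure: drop the record; the audit log keeps only the pseudonymous id and hashes."""
        if principal_id not in self._records:
            return False
        del self._records[principal_id]
        self._log("erased", now, principal=principal_id)
        return True

    def verify_audit_chain(self) -> bool:
        """Recompute every entry's hash and its link to the previous one; False if any entry was altered."""
        prev = "0" * 64
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def purgeable_audit_entries(self, now: datetime) -> list[dict]:
        """Entries older than the retention floor; anything younger must still be kept as evidence."""
        cutoff = now - RETENTION
        return [e for e in self._audit if datetime.fromisoformat(e["at"]) < cutoff]


if __name__ == "__main__":
    reg = ConsentRegistry()
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    reg.record_consent("p1", {"order_fulfilment"}, "NOTICE v1 (constructed sample)", t0)
    print(reg.may_process("p1", "order_fulfilment"), reg.may_process("p1", "marketing"))
    reg.withdraw("p1", t0 + timedelta(days=10))
    print(reg.may_process("p1", "order_fulfilment"), reg.verify_audit_chain())
```

The design choice worth noting is the split between the mutable consent record (which erasure deletes) and the append-only audit log (which survives erasure but carries only a pseudonymous id and hashes), so that honouring the right to erase does not destroy the evidence an organization needs to show that consent was given and later withdrawn.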
Steps to be taken in case of Data Breach:
This Act defines a personal data breach as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.” It is one of the most serious issues with regard to the management of personal data.
This Act mandates the immediate reporting of any potential data breach to both the Data Principal and the Data Protection Board of India. Failure to comply with this requirement may result in a penalty of up to 200 Crores rupees. Additionally, if the Data Fiduciary or Processor is found to have breached their obligation to safeguard an individual’s personal data, they may face a penalty of up to 250 Crores rupees.
These stringent measures are in place to ensure that any potential data breach is promptly identified and reported. While an intimation must be given immediately without delay, a detailed report must be filed within 72 hours of the reported incident. Some of the key requirements include the establishment of an Incident Response Team comprising legal, IT, and other relevant staff, deploying breach detection tools, and taking all necessary precautions to secure compromised systems.
The DPDP Act, 2023 contains a stringent set of penalties to enforce strict compliance with the Act. Any failure or breach, such as failure to report a data breach or failure to take reasonable measures for the protection of data, falls under the penalties mentioned in the Schedule attached to the Act. They extend to a maximum of rupees 250 crores, which applies to failure to take reasonable security safeguards to protect personal data.
Special provisions regarding children and persons with disabilities:
Both these categories of individuals receive special protection under the DPDP Act, 2023. These provisions include obtaining consent from parents or guardians, protection from targeted advertising, and the immediate deletion of data after its use. Compliance mechanisms for organizations include verifying guardians through legal documents, disabling behavioural monitoring and tracking of children’s data usage, maintaining records of guardians and the consent given, and other measures.
Conclusion
In conclusion, the DPDP Act, 2023 serves a vital purpose in regulating and safeguarding personal data and its usage at a time when each and every activity generates a significant amount of data. While it will take time for organizations to come to terms with this Act and its compliance, efforts are underway by both the Government and professionals to make its adoption a smooth process. This will help avoid the hefty penalties that an organization would have to bear for non-compliance, as well as the loss of public confidence and goodwill necessary for conducting business activities.
| Article By: | Editorial desk of KNK LEGAL |
| Research support | By Mr. Kuber Kumar, currently pursuing BBA-LLB (H) from USLLS |
Legal Disclaimer: This article is intended solely for informational purposes and should not be construed as legal advice or a substitute for professional consultation. The content reflects our understanding of the law as of the date of writing, which may be subject to change due to legislative amendments or judicial pronouncements. Transmission of this article does not create an attorney-client relationship. We assume no responsibility or liability for any loss or damage resulting from reliance on the information contained herein. Readers are strongly encouraged to obtain specific legal advice tailored to their particular facts and circumstances. This Article is not intended to advertise or solicit legal work in any manner, whatsoever.